The photos that you have synced from your phone are automatically uploaded in the background to a private Facebook album, which is not visible to any of your Facebook friends or other Facebook users. However, you can then choose to share photos from the album on your Facebook timeline or send them as a message to a friend.

It's something that reminds me of "The Fappening" and "The Snappening" -- in which nude and personal photographs of top celebrities were leaked due to a security flaw in Apple's iCloud file storage service and in an unofficial Snapchat messaging app, respectively.

In a blog post published today, Laxman explained that the vulnerability resides in the privilege mechanism that decides which applications are allowed to access synced photos through the vaultimages API.

"The vulnerable part is, it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos," Laxman wrote in a blog post.

Technically, the synced private photo album should be accessible only by Facebook's official app, but the vulnerability allowed any third-party app holding a token with the user_photos permission to read your personal synced photos.
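To make the described flaw concrete from a defender's side, here is an added illustrative model (not Facebook's code, and the endpoint, token fields, app identifiers and album data are all constructed placeholders). An access token records both the user it was issued for and the application it was issued to; the vulnerable check looks only at the owner and the user_photos scope, while the fixed check additionally requires the calling application to be on the allow-list for synced photos:

```python
"""Illustrative per-application authorization check (added example, not
Facebook's code). Names, app ids and album contents are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    owner_id: str        # user the token was issued for
    app_id: str          # application the token was issued to
    scopes: frozenset    # granted permissions, e.g. {"user_photos"}


# Constructed sample data: one private synced album per user.
SYNCED_ALBUMS = {
    "user-1": ["img-001.jpg", "img-002.jpg"],
}

# Only the first-party app may read synced photos. The id is a placeholder.
VAULT_READER_APPS = frozenset({"app-firstparty"})


def vault_images_vulnerable(token, requested_owner):
    """Checks only that the token belongs to the album owner and carries
    user_photos; the requesting application is never considered."""
    if "user_photos" not in token.scopes or token.owner_id != requested_owner:
        raise PermissionError("denied")
    return list(SYNCED_ALBUMS.get(requested_owner, []))


def vault_images_fixed(token, requested_owner):
    """Same owner and scope checks, plus: the token must have been issued
    to an application that is allowed to read synced photos."""
    if "user_photos" not in token.scopes or token.owner_id != requested_owner:
        raise PermissionError("denied")
    if token.app_id not in VAULT_READER_APPS:
        raise PermissionError("application not authorized for synced photos")
    return list(SYNCED_ALBUMS.get(requested_owner, []))


def demo():
    """Return how each version treats a third-party app's token that has the
    user_photos permission for the album owner."""
    third_party = AccessToken("user-1", "app-thirdparty", frozenset({"user_photos"}))
    results = {}
    for name, endpoint in (("vulnerable", vault_images_vulnerable),
                           ("fixed", vault_images_fixed)):
        try:
            endpoint(third_party, "user-1")
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'allowed', 'fixed': 'denied'}
```

The design point is that the owner of a token and the application that holds it are two separate authorization inputs; a resource meant for one first-party client has to check the second one explicitly, since a scope like user_photos can be granted to any application.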

Laxman previously disclosed a vulnerability in the Facebook Graph API that allowed him to delete any photo album on Facebook owned by any user, page or group.

HOW TO DISABLE AUTO-SYNC

Although Facebook has patched the vulnerability reported by Laxman and rewarded him with $10,000 under its bug bounty program, Facebook users are advised to turn off the Facebook Photo Sync feature just to be on the safer side.

In order to do so, open the Facebook mobile app menu, scroll down and select Account > App Settings > Sync Photos, then choose 'Don't sync my photos.'